
Re: One-line password generator



Hi,

Brian wrote:
> echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1

The quality criterion is how easy or difficult it is for a skilled enumerator
to guess the 'secretpassword', and whether your attacker knows the rest
of your processing pipeline.

If your secretpassword itself is enumerated late, then the attacker needs
a lot of tries.

If you keep the further processing secret, then the attacker will have to
try several hash algorithms with each enumerated input string. It would be
quite hard to guess if you replaced sha256sum with an encryption program
using a key that you successfully keep secret.

If you stay with sha512sum:
The combination of sha256sum and base64 inflates the string length before
it gets cut to a length of 30 characters. So you actually throw away good
bits which would otherwise fit into the 30 characters.
It would be better to convert the sha512sum output from hex to binary before
applying base64 to make it printable. This brings the maximum number of
sha256sum bits into the 30-character result.


Have a nice day :)

Thomas


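As an added illustration of the point made in the reply above (this is example code written for this page, not Brian's or Thomas's), the following POSIX shell script runs the quoted one-liner and the hex-to-binary variant side by side. The helper `hex_to_bytes` is an assumed stand-in for `xxd -r -p` so that the script needs nothing beyond coreutils; `digest_bits` counts how many bits of the digest a 30-character base64 prefix can carry on each path. Note that sha256sum prints the digest as 64 hex characters followed by `  -`, and in the original pipeline that whole text line is what gets base64-encoded.

```shell
#!/bin/sh
# Added example, not code from the original thread. Requires only coreutils
# (sha256sum, base64, cut, head); hex_to_bytes below is an assumed stand-in
# for "xxd -r -p" so nothing outside coreutils is needed.

# The quoted one-liner, unchanged in behaviour (printf '%s\n' is the same as
# echo for a plain string): sha256sum emits "<64 hex>  -", and that text
# line is base64-encoded before the cut to 30 characters.
orig_pipeline() {
    printf '%s\n' "$1" | sha256sum - | base64 | cut -c -30 | head -1
}

# Turn a hex string into raw bytes, two hex digits per byte. Octal escapes
# via printf keep this POSIX-only (no \x escapes, no bash-only syntax).
hex_to_bytes() {
    htb_hex=$1
    while [ -n "$htb_hex" ]; do
        htb_pair=$(printf '%s' "$htb_hex" | cut -c 1-2)
        htb_hex=$(printf '%s' "$htb_hex" | cut -c 3-)
        printf "\\$(printf '%03o' "$((0x$htb_pair))")"
    done
}

# The variant the reply proposes: keep only the 64 hex digits (drop the
# "  -" suffix), convert them to the 32 raw digest bytes, and base64 those
# before truncating to 30 characters.
raw_pipeline() {
    rp_hex=$(printf '%s\n' "$1" | sha256sum - | cut -d ' ' -f 1)
    hex_to_bytes "$rp_hex" | base64 | cut -c -30 | head -1
}

# Digest bits surviving in an N-character base64 prefix. Every base64
# character carries 6 bits of its input; when that input is hex text, each
# input byte holds only 4 digest bits, so the hex path keeps half as much.
digest_bits() {   # usage: digest_bits hex|raw N
    case $1 in
        hex) echo $(( $2 * 3 )) ;;
        raw) echo $(( $2 * 6 )) ;;
        *)   echo 'usage: digest_bits hex|raw N' >&2; return 1 ;;
    esac
}

# Demo on a constructed sample input. A real secret should not be typed on
# the command line, where it lands in shell history and in "ps" output.
demo() {
    d_pw=${1:-secretpassword}
    printf 'hex text -> base64 : %s  (%s digest bits in 30 chars)\n' \
        "$(orig_pipeline "$d_pw")" "$(digest_bits hex 30)"
    printf 'raw bytes -> base64: %s  (%s digest bits in 30 chars)\n' \
        "$(raw_pipeline "$d_pw")" "$(digest_bits raw 30)"
}

demo "$@"
```

Run it as `sh script.sh` (optionally with a sample input as the first argument). Both outputs are 30 printable characters, but the hex-text path packs about 90 digest bits into them while the raw-bytes path packs about 180, which is the "thrown away good bits" the reply refers to.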